Yesterday, with both the House and Senate preparing to leave
for the weekend, there were 68 bills introduced. Of these, two may be of
specific interest to readers of this blog:
S 1885 A bill to support the development of highly automated vehicle safety
technologies, and for other purposes. Sen. Thune, John [R-SD]
S 1900 A bill to require all persons who acquire, maintain, or use personal
information to have in effect reasonable cybersecurity protections and
practices whenever acquiring, maintaining, or using personal information in
commerce, and for other purposes. Sen. Blumenthal, Richard [D-CT]
S 1885 was introduced with a fair amount of fanfare and media
buzz (see here for example). Thune’s press release includes links to a copy
of the bill and a summary of its provisions. That summary explains the
cybersecurity provisions this way:
“This section [§14] would require
manufacturers of HAVs [Highly Automated Vehicles] and ADS [Automated Driving
Systems] to develop and execute a written plan for identifying and reducing
cybersecurity risks to the motor vehicle safety of such vehicles and systems.
This section would also authorize the Secretary to work cooperatively with
manufacturers to develop a policy for coordinated disclosure of cybersecurity
vulnerabilities (such as bug bounty programs), and it would direct other
federal agencies researching cybersecurity risks associated with HAVs to
coordinate with the Secretary on their findings.”
The GPO version of the bill has not been published, but I
will probably be reviewing the bill this weekend since it is scheduled
for consideration in Thune’s Commerce, Science, and Transportation Committee on
Wednesday.
S 1900 will probably not be covered here since there are
almost certainly no control system issues involved (I hope), but I am including
it today as an example of potential congressional overreaction to cybersecurity
incidents (almost certainly the Equifax fiasco here). If the bill does, in fact
(and it probably does not), provide for cybersecurity standards for “all
persons [emphasis added] who acquire, maintain, or use personal
information”, then we have a sweeping piece of cybersecurity legislation that
would create more problems than it solves.